b'                                                                             Report No. DODIG-2014-080\n\n\n\n              I nspec tor Ge ne ral\n                                                U.S. Department of Defense\n\n              JUNE 10, 2014\n\n\n\n\n                     Assessment of DoD Processes\n                     in Support of Committee on\n                     Foreign Investment in the United\n                     States (CFIUS) Determinations\n                     and Foreign Ownership, Control,\n                     or Influence (FOCI) Mitigation\n\n\n\n\nI N T E G R I T Y \xef\x82\xab E F F I C I E N C Y \xef\x82\xab A C C O U N TA B I L I T Y \xef\x82\xab E X C E L L E N C E\n\x0c    I N T E G R I T Y \xef\x82\xab E F F I C I E N C Y \xef\x82\xab A C C O U N TA B I L I T Y \xef\x82\xab E X C E L L E N C E\n\n\n\n\n                                         Mission\n       Our mission is to provide independent, relevant, and timely oversight\n       of the Department of Defense that supports the warfighter; promotes\n       accountability, integrity, and efficiency; advises the Secretary of\n                  Defense and Congress; and informs the public.\n\n\n\n                                          Vision\n       Our vision is to be a model oversight organization in the Federal\n       Government by leading change, speaking truth, and promoting\n       excellence\xe2\x80\x94a diverse organization, working together as one\n                professional team, recognized as leaders in our field.\n\n\n\n\n                                     Fraud, Waste, & Abuse\n\n                                     HOTLINE\n                                     Department of Defense\n                                     d o d i g. m i l / h o t l i n e\n\n\n\n\nFor more information about whistleblower protection, please see the inside back cover.\n\x0c                               Results in Brief\n                               Assessment of DoD Processes in Support of Committee on\n                               Foreign Investment in the United States (CFIUS) Determinations\n                               and Foreign Ownership, Control, or Influence (FOCI) Mitigation\n\n\n\nJune 10, 2014                                    Findings (cont\xe2\x80\x99d)\n\nObjective                                        specifies security requirements for classified contracts\xe2\x80\x94as part\n                                                 of an enterprise system that manages the flow of contract\nThis report on the assessment of DoD             information to support industrial security within cleared\nprocesses to support Committee on Foreign        defense industry.\nInvestment in the United States (CFIUS)\ndeterminations and foreign ownership,\ncontrol, or influence (FOCI) mitigation\n                                                 Recommendations\nresponds to longstanding management              We recommend that the Under Secretary of Defense for\nconcerns      and   the  U.S.  Government        Intelligence (USD(I)), in coordination with the Under\nAccountability Office (GAO) high risk area       Secretary of Defense for Acquisition, Technology, and\nof ensuring the effective protection of          Logistics (USD(AT&L)), issue guidance that defines ownership\ntechnologies critical to U.S. national           of information, delineates responsibility for coordination\nsecurity interests.                              within respective Service and agency organizations, and\n                                                 outlines a consistent process flow for National Interest\nWe assessed the process for determining          Determinations to further a synchronized, integrated\nand relaying relevant threat information         approach to support CFIUS determinations and foreign\nand recommendations to the CFIUS, the            ownership, control, or influence mitigation. We further\nstrength of FOCI mitigation within cleared       recommend that the USD(I), in coordination with the\ndefense industry, and the effectiveness of       USD(AT&L), direct the creation of a centralized repository\nexisting tools to help FOCI mitigations and      for cleared defense contracts, to maintain DD Form 254s and\nCFIUS determinations.                            other contract security requirements for classified contracts,\n                                                 and designate the Defense Security Service as executive agent\n                                                 in its role as the National Industrial Security Program\nFindings                                         Cognizant Security Office for DoD, 26 non\xe2\x80\x91DoD agencies, and\nWe found that existing policies clearly define   approximately 13,500 cleared contractors.\nrequirements to support National Interest\nDeterminations, but they do not effectively\ndelineate roles and responsibilities to\n                                                 Management Comments\nsupport the Services, agencies, and the          Management concurred with the two main recommendations\nacquisition community resulting in a             and its comments were responsive. Management non-concurred\nsignificant backlog of decisions.                with designating at this time an executive agent for the\n                                                 DD Form 254 central repository. We require no further\nWe also found that a need exists for a           comment and will continue to monitor DD Form 254\ncentralized, accessible database to process      repository developments, along with the corresponding\nand store DD Form 254s\xe2\x80\x94a document that           Office of Management and Budget/Federal Register\n                                                 approval process.\n\nVisit us at www.dodig.mil\n\n\n                                                                     DODIG-2014-080 (Project No. D2012-DINT01-0159.000)\xe2\x94\x82 i\n\x0c                   Recommendations Table\n                                                                  Recommendations       No Additional\n                                        Management                Requiring Comment   Comments Required\n                    Under Secretary of Defense for Acquisition,                       A, B\n                    Technology, and Logistics\n\n                    Under Secretary of Defense for Intelligence                       A, B\n\n\n\n\nii \xe2\x94\x82 DODIG-2014-080 (Project No. D2012-DINT01-0159.000)\n\x0c                                   INSPECTOR GENERAL\n                                  DEPARTMENT OF DEFENSE\n                                  4800 MARK CENTER DRIVE\n                               ALEXANDRIA, VIRGINIA 22350-1500\n\n\n                                                                                    June 10, 2014\n\nMEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION,\n               \t TECHNOLOGY, AND LOGISTICS\n               UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE\n               DIRECTOR, DEFENSE SECURITY SERVICE\n\nSUBJECT:\t Assessment of DoD Processes in Support of Committee on Foreign Investment in the\n          United States (CFIUS) Determinations and Foreign Ownership, Control, or Influence (FOCI)\n          Mitigation (Report No. DoDIG-2014-080)\n\nWe are providing this report for your information and use. We issued a draft of this report\non February 10, 2014. This report responds to a request by a former Under Secretary of Defense\nfor Intelligence, to assess the efficacy of FOCI mitigation within the defense industrial base and\nreview the process for relaying relevant information to the CFIUS. It also responds to the\nU.S. Government Accountability Office high risk area of \xe2\x80\x9censuring the effective protection of\ntechnologies critical to U.S. national security interests.\xe2\x80\x9d\n\nWe considered comments from the Office of the Under Secretary of Defense for Acquisition,\nTechnology, and Logistics, and the Office of the Under Secretary of Defense for Intelligence.\nManagement concurred with the two main recommendations and its comments were\nresponsive. Management non-concurred with designating at this time an executive agent for\nthe DD Form 254 central repository. We require no further comment and will continue to\nmonitor DD Form 254 repository developments, along with the corresponding Office of\nManagement and Budget/Federal Register approval process.\n\nWe appreciate the courtesies extended to the staff. Please direct questions to me at\n(703) 882-4860, or the Project Manager at (703) 699-7214 (DSN 499-7214).\n\n\n\n\n\t Anthony C. Thomas\n\t Deputy Inspector General for\n\t\t Intelligence and Special\n\t\t Program Assessments\n\n\n\n\n                                                                                          DODIG-2014-080\xe2\x94\x82 iii\n\x0c                  Distribution:\n\n                  Under Secretary of Defense for Acquisition, Technology, and Logistics\n                  Under Secretary of Defense for Intelligence\n                  Director, Defense Security Service\n                  Director, Missile Defense Agency\n                  Assistant Secretary of the Army for Acquisitions, Logistics and Technology\n                  Army Deputy Chief of Staff, G-2\n                  Assistant Secretary of the Air Force for Acquisition\n                  Administrative Assistant to the Secretary of the Air Force\n                  Assistant Secretary of the Navy for Research, Development, and Acquisition\n                  Deputy Under Secretary of the Navy for Plans, Policy, Oversight and Integration\n\n\n\n\niv \xe2\x94\x82 DODIG-2014-080\n\x0cContents\nIntroduction\nObjective__________________________________________________________________________________________2\nBackground_______________________________________________________________________________________3\n\nFinding A. DoD Policy Must Clearly Define NID Roles\nand Responsibilities _____________________________________________________________ 16\nConclusion______________________________________________________________________________________ 21\nRecommendation, Management Comments, and Our Response___________________________ 21\n\nFinding B. DoD Needs A Centralized and Transparent\nContractor Database ____________________________________________________________ 23\nConclusion______________________________________________________________________________________ 26\nRecommendation, Management Comments, and Our Response___________________________ 27\n\nAppendixes\nAppendix A. Scope and Methodology________________________________________________________ 30\n     Computer-Processed Data _ _____________________________________________________________ 30\n     Use of Technical Assistance______________________________________________________________ 30\n     Prior Coverage ___________________________________________________________________________ 30\n     GAO________________________________________________________________________________________ 30\nAppendix B. G-2 CFIUS Timeline_____________________________________________________________ 31\nAppendix C. DD Form 254____________________________________________________________________ 32\n\nManagement Comments\nUnder Secretary of Defense for Intelligence_________________________________________________ 34\nUnder Secretary of Defense for Acquisition, Technology, and Logistics___________________ 37\n\nAcronyms and Abbreviations______________________________________________ 39\n\n\n\n\n                                                                                                       DODIG-2014-080\xe2\x94\x82 v\n\x0c\x0c                                                                                                                                 Introduction\n\n\n\n\nIntroduction\nTo compete in a global economy, the United States must foster an environment\nthat encourages foreign investments. Foreign investments can increase a nation\xe2\x80\x99s\ngross domestic product, with a corresponding increase in labor productivity,\nwages, and employment. The United States is the world\xe2\x80\x99s leader in attracting\nforeign direct investments. Such foreign investments are not risk-free, as they can\npotentially result in unauthorized access to classified or sensitive information or\nadversely affect the performance on classified or unclassified contracts within\nthe defense industrial base.1 Accordingly, the United States must engender an\nenvironment that encourages foreign investments while protecting information\nvital to national security. These competing requirements should be considered\nwhen mitigating Foreign Ownership, Control, or Influence (FOCI) within cleared\ndefense industry,2 and reviewing industry mergers and acquisitions that are\nunder Committee on Foreign Investment in the United States (CFIUS) purview.\n\nMajor Weapons Systems FY 2013 Funding Requests\n\n\n\n\n  Source: FY2013 PRCP \xe2\x80\x93 Investment Categorization\n  Numbers may not add due to rounding\n\n\n\t1\t\n    The defense industrial base is the DoD, government, and private sector worldwide industrial complex capable of\n    performing research and development, and designing, producing, and maintaining military weapon systems, subsystems,\n    components, or parts to meet military requirements.\n\t2\t\n    Cleared defense industry is the DoD, government, and private sector worldwide industrial complex with capabilities to\n    perform research and development, design, produce, and maintain military weapon systems, subsystems, components, or\n    parts to meet military requirements. Cleared defense industry does so in accordance with requirements established in the\n    National Industrial Security Program Operating Manual (NISPOM).\n\n\n\n\n                                                                                                                               DODIG-2014-080\xe2\x94\x82 1\n\x0cIntroduction\n\n\n\n                 DoD\xe2\x80\x99s FY 2013 acquisition funding request for weapons development, research,\n                 and sustainment totaled about $178.8 billion. DoD, through the Defense Security\n                 Service (DSS), also provides for reviewing FOCI concerns and administering\n                 mitigation instruments for cleared defense industry\xe2\x80\x94an essential partner in\n                 systems development.\n\n                 In addition, DoD, as a member of CFIUS, supports CFIUS determinations in\n                 two ways. First, through its intelligence components, DoD provides threat\n                 information to the Office of the Director of National Intelligence (ODNI), which\n                 develops the aggregate threat assessment for each CFIUS case. Second, DoD\n                 provides risk analyses which assess threat, vulnerability, and overall risk including\n                 proposals to mitigate risks for those companies where DoD equities require the\n                 analyses and proposals. This report reviews the FOCI and CFIUS processes to\n                 determine whether roles and responsibilities are clearly defined, whether these\n                 efforts are sufficiently synchronized and integrated in DoD, and whether additional\n                 tools are needed to help bring about a consistent, comprehensive approach to\n                 FOCI mitigation and CFIUS determinations.\n\n\n                 Objective\n                 This report responds to a request by a former Under Secretary of Defense for\n                 Intelligence, to assess the efficacy of FOCI mitigation within the defense industrial base and\n                 review the process for relaying relevant information to the CFIUS. It also responds to the\n                 U.S. Government Accountability Office (GAO) high risk area of \xe2\x80\x9censuring the\n                 effective protection of technologies critical to U.S. national security interests.\xe2\x80\x9d\n                 Thus, this report assesses:\n\n                          \xe2\x80\xa2\t The process for determining and relaying relevant threat information\n                             on a CFIUS transaction from the appropriate DoD intelligence agency\n                             to the DoD CFIUS lead and to the ODNI office responsible for the\n                             aggregate intelligence community position on threats posed by a\n                             CFIUS case;\n\n                          \xe2\x80\xa2\t The efficacy of FOCI mitigation within cleared defense industry; and,\n\n                          \xe2\x80\xa2\t The effectiveness of existing tools to support FOCI mitigation under\n                             the National Industrial Security Program Operating Manual (NISPOM),\n                             which in turn, is a contributing factor to CFIUS determinations when\n                             companies being acquired possess facility clearances.\n\n\n\n\n2 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                Introduction\n\n\n\nBackground\nA U.S. company is considered to fall under FOCI when a foreign interest has the\npower to direct or decide matters affecting that company\xe2\x80\x99s managing of\noperations in a way that may result in unauthorized access to classified information\nor cause an adverse effect on the performance of classified contracts.\n\nIt applies whether this power is direct or indirect, whether or not it is exercised,\nand whether or not it is exercisable through owning the U.S. company\xe2\x80\x99s securities\nby contractual agreement or other means.\n\nFOCI considerations of U.S. companies requiring access to classified information are\nexplicitly addressed in the NISPOM, which the Secretary of Defense is responsible\nfor issuing and maintaining. FOCI concerns are one element to consider during\nthe   CFIUS    review     process.    DoD   supports     these    programs   through   the\nsynchronized    efforts    of   its   security,   intelligence,   and   counterintelligence\ncommunities coordinating with the defense acquisition community.\n\nFOCI policy is an element of the National Industrial Security Program (NISP).\nThe policy was designed to ensure that classified information in the custody of\ncleared U.S. companies is protected from unauthorized access if a cleared U.S.\ncompany is or will be acquired, controlled, or influenced by foreign interests.\nWhen a cleared defense company is considered to be under FOCI, the U.S. company\nis ineligible for a facility security clearance unless and until security measures\n(e.g., certain mitigation instruments) have been installed to negate or mitigate\nthe FOCI. Similarly, CFIUS\xe2\x80\x94an interagency committee\xe2\x80\x94reviews mergers and\nacquisitions involving a foreign individual, corporation, or other entity as a buyer\nto determine the effect of such transactions on national security. In 2011,\nCFIUS reviewed 111 voluntarily-filed proposed mergers or acquisitions.\n\nThe Department of the Treasury serves as the CFIUS chair, with the other\nstatutory members consisting of the Departments of Justice, Homeland Security,\nCommerce, Defense, State, and Energy, the Office of the U.S. Trade Representative,\nand the Office of Science and Technology Policy.\n\nBy Executive Order, the President has added other Executive Office agencies\nas participants on the Committee, including the Office of Management and\nBudget, the Council of Economic Advisors, and the National Security Staff.\nThe Director of National Intelligence (DNI) and the Secretary of Labor are\nnon-voting, ex-officio members.\n\n\n\n                                                                                              DODIG-2014-080\xe2\x94\x82 3\n\x0cIntroduction\n\n\n\n                 While CFIUS and FOCI determinations under NISP authorities proceed along\n                 separate but parallel tracks, support for the programs is becoming increasingly\n                 coordinated and integrated. The primary difference between the determinations\n                 from an industry perspective is that for cleared defense industry, compliance\n                 with FOCI reporting is mandatory under NISP authorities, while the reporting\n                 to CFIUS of planned or completed mergers or acquisitions is voluntary (although\n                 CFIUS does have the authority to request notices and member agencies have\n                 the authority to file notices). Therefore, cleared defense contractors must report\n                 changed ownership conditions (i.e., \xe2\x80\x9cchange conditions\xe2\x80\x9d) to the DSS. The DSS\n                 reviews those required change-condition reports to determine if the degree of\n                 FOCI presented by the change requires carrying out a FOCI agreement or requires\n                 any       modifications          to    an     existing       FOCI      mitigation        or     negation        agreement.\n                 In contrast, CFIUS can only review mergers and acquisitions when a foreign\n                 entity could subsequently exert control of a business engaged in U.S. interstate\n                 commerce, filing a formal notice with CFIUS is primarily voluntary by firms involved\n                 in mergers and acquisitions and CFIUS action to impose mitigation measures\n                 or recommend Presidential action on a transaction is discretionary.\n\n\n                 Relevant FOCI Policies\n                 The primary authorities that provide for reviewing cleared defense contractors\n                 for FOCI concerns are found in three separate issuances:\n\n                               \xe2\x80\xa2\t Executive Order (E.O.) 12829, \xe2\x80\x9cNational Industrial Security Program,\xe2\x80\x9d\n                                   January 6, 1993, which established the NISP (E.O. 12829 was amended\n                                   by E.O. 12885 of December 16, 1993);\n\n                               \xe2\x80\xa2\t DoD Manual 5220.22, Chapter 2, \xe2\x80\x9cSecurity Clearances,\xe2\x80\x9d Section 3\n                                   \xe2\x80\x9cForeign Ownership, Control or Influence\xe2\x80\x9d of the NISPOM, which\n                                   identifies the criteria for FOCI\xe2\x80\x99s existence, establishes the requirements\n                                   for annual reviews of companies under FOCI, and details the forms and\n                                   certifications that address contractors\xe2\x80\x99 operating requirements; and,\n\n                               \xe2\x80\xa2\t Directive-Type Memorandum (DTM) 09-019, \xe2\x80\x9cPolicy Guidance for Foreign\n                                   Ownership, Control, or Influence,\xe2\x80\x9d September 2, 2009, which provides\n                                   further guidance on FOCI mitigation procedures, allows for greater\n                                   coordination on CFIUS matters, summarizes DoD policies, and clarifies\n                                   requirements for National Interest Determinations (NIDs).3 The current\n                                   DTM incorporates Change 6 of January 9, 2014.\n\n                 \t3\t\n                       A NID is a determination from a Government Contracting Activity that access to proscribed information is consistent with\n                       U.S. national security interests.\n\n\n\n4 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                      Introduction\n\n\n\nExecutive Order 12829\nIssued on January 6, 1993, E.O. 12829 established the NISP with the goal to\nprotect classified information that is released to contractors, licensees, and\ngrantees of the U.S. Government. E.O. 12829 stated that issuing contracts to\nnon-governmental organizations promotes national interests, but can result in\ncontractor access to classified information. For this reason, E.O. 12829 stipulates\nthat classified information released to contractors must be protected at levels\ncommensurate with those in the Federal Government. E.O. 12829 also stated\nnational security requires that an industrial security program promote U.S.\neconomic      and   technological    interests    without      redundancy     or   unnecessary\nrequirements. Accordingly, this E.O. designated the NISP as the \xe2\x80\x9csingle, integrated,\ncohesive industrial security program to protect classified information and to\npreserve our Nation\xe2\x80\x99s economic and technological interests.\xe2\x80\x9d To that end, it\nspecified creating the NISPOM to \xe2\x80\x9cprescribe specific requirements, restrictions,\nand other safeguards\xe2\x80\x9d for the handling of classified information.\n\n\nNational Industrial Security Program Operating Manual\nEstablished in 1993 by E.O. 12829, the NISPOM regulates protecting classified\ninformation    within   cleared     defense      industry.    The    NISPOM    stipulates    the\nprocedures and requirements for government contractors, concerning managing\nand   protecting    classified    information     within     the    defense   industrial    base.\nThe requirements are detailed in the NISPOM, which lists four Cognizant\nSecurity Agencies (CSAs)\xe2\x80\x94the Departments of Defense and Energy, the Central\nIntelligence Agency, and the Nuclear Regulatory Commission. The 2006 NISPOM\nalso lists 23 non-DoD agencies that have agreements with the Secretary of\nDefense to render industrial security services as the Executive Agent for the NISP.\n\nSince 2006, DoD has also entered into agreements with three other non-DoD\nagencies for a total of 26. Guidance with respect to FOCI is found in Chapter 2\n(see \xe2\x80\x9cRelevant FOCI Policies\xe2\x80\x9d) of the NISPOM. \xe2\x80\x85The section details requirements\nfor annual reviews of companies under FOCI and details the forms and\ncertifications that address contractors\xe2\x80\x99 operating requirements.\n\nThe NISPOM was amended in March 2013 to reflect changes which included\ncarrying out the provisions of Executive Order 13526, \xe2\x80\x9cClassified National\nSecurity   Information,\xe2\x80\x9d       December   29,     2009,      regarding   derivative   classifier\nidentification and training.\n\n\n\n\n                                                                                                    DODIG-2014-080\xe2\x94\x82 5\n\x0cIntroduction\n\n\n\n                 This amendment identified the authority of the DNI and acknowledged that\n                 intelligence    information     is   under     DNI      jurisdiction    and     control.    The    DNI\n                 establishes    security   policy     for    protecting     intelligence    information,      sources,\n                 methods, and analytical processes.\n\n\n                 Directive-Type Memorandum (DTM) 09-019\n                 Additional     guidance   for    FOCI      mitigation     was     issued   in    DTM       09-019,    a\n                 memorandum that details procedures and requirements and allows for greater\n                 coordination on CFIUS matters. \xe2\x80\x85It reconfirms the standards for FOCI\xe2\x80\x99s existence,\n                 specifies timelines to U.S. companies to appeal FOCI determinations, and says:\n                 \xe2\x80\x9cDSS shall also obtain and consider counterintelligence and technology transfer\n                 risk assessments from all appropriate USG sources.\xe2\x80\x9d The DTM also provides\n                 guidance with regard to NIDs, stipulating that when a foreign interest intends\n                 to merge with or acquire a cleared company with access to proscribed\n                 information, the government contracting activity shall review the FOCI action plan\n                 that the company proposed. A NID is required if a Special Security Agreement (SSA) is\n                 used to mitigate FOCI. DSS advises the Government Contracting Activities                          (GCA)\n                 regarding the need for a NID and the GCA determines whether a NID will be issued. \xe2\x80\x85A\n                 Deputy Secretary of Defense memorandum provides further guidance and additional\n                 requirements regarding the processing of NIDs.\n\n\n                 Key Stakeholder \xe2\x80\x93 FOCI\n                 Defense Security Service (DSS)\n                 The DSS is a Defense agency under USD(I) authority, direction, and control that\n                 serves as the DoD NISP Cognizant Security Office, providing industrial security\n                 oversight and support to Defense agencies, the Services, 26 non-DoD federal\n                 agencies, and approximately 13,500 cleared contractor facilities. The organization\xe2\x80\x99s\n                 core   operational    elements       are     the   Center       for    Development     of    Security\n                 Excellence, Industrial Policy and Programs, Industrial Security Field Operations,\n                 and Counterintelligence.\n\n                 In accordance with these responsibilities, DSS inspects, monitors, and provides\n                 assistance to the contractors, licensees, and grantees that require access to\n                 classified information.\n\n\n\n\n6 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                             Introduction\n\n\n\nAn April 2008 GAO report entitled \xe2\x80\x9cDepartment of Defense\xe2\x80\x84\xe2\x80\x93\xe2\x80\x84Observations on\nthe National Industrial Security Program\xe2\x80\x9d discussed the DoD NISP and identified\nareas for improvement related to FOCI. Specific to FOCI, the report identified\nthe following:\n\n         \xe2\x80\xa2\t concerns with how DSS collects and analyzes information needed to\n            assess oversight of both contractor facilities and contractors under FOCI;\n\n         \xe2\x80\xa2\t the lack of guidance to DSS field staff to effectively provide oversight\n            at contractor facilities under FOCI; and,\n\n         \xe2\x80\xa2\t the delay between cleared defense companies entering into foreign\n            business transactions and the reporting of such to DSS.\n\nSince the report\xe2\x80\x99s release, DSS has staffed analytical, assessment and evaluation,\nand   operational    offices   to   provide   continuous   monitoring   of   more   than\n10,000 cleared companies for change conditions, such as foreign acquisitions\nand provide proactive support for FOCI mitigation and oversight for more than\n350 cleared companies operating under FOCI mitigation agreements. DSS also\nreviews and monitors financial data to determine financial viability, foreign\nindebtedness, foreign capital contribution, and to compare company-reported\ninformation against commercial financial databases. In addition, DSS\xe2\x80\x99 analytical\nelements communicate change conditions to DSS oversight personnel through the\nNISP Facility Oversight weekly newsletter designed to increase awareness of change\nconditions within the NISP. \xe2\x80\x85Finally, DSS has instituted operational procedures for\nFOCI that identify responsibilities and provide for a consistent process to\nsupport the field elements in FOCI determinations and oversight within cleared\ndefense industry.\n\nCompanies entering into the NISP are required to complete a Standard Form-328\n(SF-328), \xe2\x80\x9cCertificate Pertaining to Foreign Interest,\xe2\x80\x9d to report the extent of foreign\nownership, control, or influence within their businesses. Companies self-report\nany change conditions to FOCI factors in accordance with the NISPOM and\na clarifying Industrial Security Letter.\n\n\n\n\n                                                                                           DODIG-2014-080\xe2\x94\x82 7\n\x0cIntroduction\n\n\n\n                 In May 2009, DSS conducted a beta test where FOCI analysts reviewed all SF-328\n                 forms for companies entering into the NISP regardless of company responses.\n                 The review revealed concerns that FOCI was underreported. For this reason,\n                 DSS now reviews all SF-328s and conducts independent analysis to validate\n                 the information that prospective cleared companies provide.\n\n                 During fiscal year 2012, DSS reviewed SF 328s for over 1,500 companies.\n                 Of those reviews, about nine percent of the companies in-process for a facility\n                 clearance         (FCL)4        had       unreported            FOCI        issues,       and       five      percent         had\n                 counterintelligence issues. Depending upon the nature and extent of the FOCI\n                 issues identified, DSS can require one of several mitigation instruments to minimize\n                 the risk of unauthorized disclosure of classified information.\n\n                 Distinct mitigation instruments are executed for corresponding levels of assessed\n                 risk. \xe2\x80\x85The first, a Board Resolution, is instituted when a foreign investor has a\n                 minority stake, is not a member of the governing board, and is not authorized\n                 to appoint or elect board members. A board resolution is a legally binding\n                 document from the organization\xe2\x80\x99s governing board acknowledging the foreign\n                 investors identified from the first phase of the FOCI process. The resolution\n                 prevents foreign investors from having unauthorized access to classified, or\n                 export-controlled information,5 and denies influence or control over projects\n                 involved with classified information. Another mitigation instrument called a\n                 Security Control Agreement is typically imposed for minority foreign ownership\n                 when the foreign owner does not effectively own or control the business and\n                 is entitled to representation on the cleared company\xe2\x80\x99s board. The foreign owner\n                 is permitted to retain a limited voice in managing the business, but is\n                 precluded          from        unauthorized             access         to     classified         or      export-controlled\n                 unclassified information.\n\n                 A Special Security Agreement is a mitigation agreement that may be used\n                 when a foreign entity effectively owns or controls a company, and, as a result,\n                 the SSA has more security restrictions than a Security Control Agreement.\n\n\n                 \t4\t\n                     A facility clearance or FCL is an administrative determination that, from a national security standpoint, a facility is eligible\n                     for access to classified information at the same or lower classification category as the clearance being granted. The FCL\n                     may be granted at the Confidential, Secret, or Top Secret level. \xe2\x80\x85The FCL includes the execution of a Department of Defense\n                     Security Agreement (DD Form 441). Under the terms of the agreement, the Government agrees to issue the FCL and inform\n                     the contractor as to the security classification of information to which the contractor will have access. The contractor, in\n                     turn, agrees to abide by the security requirements set forth in the NISPOM.\n                 \t5\t\n                     Unclassified information, the export of which is controlled by the International Traffic in Arms Regulations (\xe2\x80\x9cITAR\xe2\x80\x9d) and/\n                     or the Export Administration Regulations (\xe2\x80\x9cEAR\xe2\x80\x9d). The export of technical data, which is inherently military in nature, is\n                     controlled by the ITAR. The export of technical data, which has both military and commercial uses, is controlled by EAR.\n\n\n\n\n8 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                           Introduction\n\n\n\nThe SSA still allows the foreign owner a voice in the business management\nthrough representation on the company\xe2\x80\x99s governing board via one or more\nInside Directors, directors representing the interests of the foreign entity.\nHowever, the SSA also requires a minimum of three Outside Directors (or a number\ngreater than the number of Inside Directors) to act on the government\xe2\x80\x99s behalf.\n\nOutside Directors are independent directors nominated by the foreign interest and\napproved by DSS which do not have any personal or professional relationships to\nthe parties of the FOCI mitigation agreement. An SSA requires the following:\n\n        \xe2\x80\xa2\t a Technology Control Plan\xe2\x80\x94a security countermeasure that stipulates how\n           a company will prescribe measures to control access to non-U.S. citizen\n           employees and visitors to information for which they are not authorized;\n\n        \xe2\x80\xa2\t an Electronic Communications Plan\xe2\x80\x94which supports the separation of\n           networks and provides assurance that electronic communications do not\n           result in the unauthorized disclosure of classified or export\xe2\x80\x91controlled\n           information    or   exert   undue   influence   over   the   company;   and\n\n        \xe2\x80\xa2\t a visitation policy\xe2\x80\x94which outlines how visits from the foreign entity\n           will be controlled by the cleared company.\n\nAdditional mitigation instruments include Proxy Agreements and Voting Trust\nAgreements, which are more restrictive than other mitigation agreements and\ndo not require a NID for a cleared company to have contracts requiring access\nto proscribed information that include: Top Secret information; Communications\nSecurity information except controlled cryptographic items when either unkeyed\nor used with unclassified keys; Special Access Program information; Sensitive\nCompartmented information; and Restricted Data. This report will focus on SSAs,\nand, in some cases, the resulting need for NIDs.\n\nDSS is responsible for negotiating, executing, and administering mitigation\ninstruments in cleared defense industry and for making recommendations to the\nOUSD(I) on whether FOCI mitigation is adequate to address any national security\nconcerns for those CFIUS cases involving cleared defense contractors. In both\ncases, when an SSA mitigation instrument is in place and the company requires\naccess to proscribed information, DSS shall advise the GCAs of the need for a\nNID. In addition to GCA approval, concurrence from owners of the proscribed\ninformation (i.e. the National Security Agency for Communications Security\ninformation, the Department of Energy for Restricted Data, and the ODNI for\nSensitive Compartmented Information) must be obtained.\n\n\n\n                                                                                         DODIG-2014-080\xe2\x94\x82 9\n\x0cIntroduction\n\n\n\n                 Relevant CFIUS Policies\n                 CFIUS reviews mergers, acquisitions, or takeovers that may result in \xe2\x80\x9cforeign control\n                 of any person engaged in interstate commerce in the United States\xe2\x80\x9d (it may also\n                 consider whether the transaction could result in control of any \xe2\x80\x9ccritical\n                 infrastructure\xe2\x80\x9d that could impair national security). These transactions are defined\n                 as covered transactions and were defined as such in the Exon\xe2\x80\x91Florio provision, which\n                 is further detailed below. This report summarizes the following CFIUS laws,\n                 regulations, and guidance:\n\n                         \xe2\x80\xa2\t E.O. 11858, \xe2\x80\x9cForeign Investment in the United States,\xe2\x80\x9d May 7, 1975;\n\n                         \xe2\x80\xa2\t The Exon\xe2\x80\x91Florio Amendment to the Omnibus Trade and Competitiveness\n                            Act of 1988, Pub. L. No. 100-418, 102 Stat. 1107, \xe2\x80\x9cAuthority to Review\n                            Certain Mergers, Acquisitions, and Takeovers,\xe2\x80\x9d USC 50 App \xc2\xa7 2170,\n                            which established Presidential authority to block proposed mergers\n                            and acquisitions;\n\n                         \xe2\x80\xa2\t Public Law 110-49, \xe2\x80\x9cForeign Investment and National Security Act,\xe2\x80\x9d\n                            July 26, 2007, which formally established CFIUS under statute and\n                            clarified the process for national security reviews; and,\n\n                         \xe2\x80\xa2\t DoD Instruction 2000.25, \xe2\x80\x9cDoD Procedures for Reviewing and\n                            Monitoring Transactions Filed with the Committee on Foreign\n                            Investment in the United States (CFIUS),\xe2\x80\x9d August 5, 2010, which\n                            provides internal DoD guidance to support CFIUS.\n\n                 Executive Order 11858\n                 In establishing CFIUS, E.O. 11858 authorized the Secretaries of State, Treasury,\n                 Defense, and Commerce, and the U.S. Trade Representative, the Chairman of the\n                 Council of Economic Advisers, the Attorney General, and the Director of the Office\n                 of Management and Budget to serve as committee members, with the Secretary of\n                 Treasury as committee chair. \xe2\x80\x85The committee\xe2\x80\x99s primary responsibility is to monitor\n                 foreign investment in the United States by analyzing trends and developments.\n\n                 The committee is also tasked to provide guidance and review investments with\n                 possible major implications for U.S. national interests, and submit coordinated\n                 Executive Branch recommendations and analyses to the National Security Council\n                 and the Economic Policy Board, as warranted.\n\n\n\n\n10 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                           Introduction\n\n\n\nExon\xe2\x80\x91Florio Amendment\nEnacted under the Omnibus Trade and Competitiveness Act of 1988, the\nExon\xe2\x80\x91Florio Amendment modified Section 721 of the Defense Production Act\nof 1950 by establishing an investigative process to determine the effects on\nnational security of proposed mergers, acquisitions, and takeovers of U.S.\ncompanies by foreign interests. The Exon\xe2\x80\x91Florio provision gave a maximum of\n90 days to finish reviewing a proposed transaction. The decision to investigate\nhad to be made within 30 days. \xe2\x80\x85If so determined, a subsequent investigation had\nto be completed in 45 days. The President had to decide within an additional\n15 days whether action was to be taken to block the transaction. These timelines\nremain in effect.\n\nThe President designated CFIUS to administer the Exon\xe2\x80\x91Florio amendment in\nE.O. 12661, Section 3-201: \xe2\x80\x9cImplementing the Omnibus Trade and Competitiveness\nAct of 1988 and Related International Trade Matters\xe2\x80\x9d of December 27, 1988.\nWith   the   Exon\xe2\x80\x91Florio   amendment,    Congress      authorized   the   President   to\nreview foreign acquisitions, mergers, or takeovers of U.S. companies including\ndefense-related firms. The President gained the authority to suspend or prohibit\nsuch transactions if they presented \xe2\x80\x9ccredible evidence\xe2\x80\x9d of threats to national\nsecurity which could not be addressed by other laws.\n\n\nForeign Investment and National Security Act\nPublic Law 110-49, 50 United States Code, Appendix 2061, the Foreign\nInvestment and National Security Act (FINSA) was signed into law July 26, 2007,\nand added additional requirements to the Exon\xe2\x80\x91Florio Amendment. Previously\noperating under the authority of E.O. 11858, CFIUS was also formally established\nin statute under FINSA. The Secretary of Energy was added as a voting member\nand the Secretary of Labor and the DNI were added as non-voting members.\nUnder FINSA, the DNI is tasked to analyze the threat to the national security of\nthe United States posed by a covered transaction, and incorporate the views of\nintelligence agencies regarding these threats, although it is statutorily constrained\nnot to contribute to any subsequent policy discussions in CFIUS. \xe2\x80\x85The Act requires\nthat for each covered transaction, at least one member of CFIUS will be designated\nas a co-lead agency with Treasury. \xe2\x80\x85The duties of the co-lead agency(ies) include\nnegotiating, modifying, monitoring, and enforcing any agreement CFIUS enters\n\n\n\n\n                                                                                       DODIG-2014-080\xe2\x94\x82 11\n\x0cIntroduction\n\n\n\n                 into with foreign persons in order to mitigate national security risks. \xe2\x80\x85FINSA\n                 also provides CFIUS the authority to impose mitigation measures during a\n                 CFIUS investigation period without Presidential approval if the parties fail to\n                 agree to terms the Committee considers necessary to protect national security.\n\n                 The Act also stipulates that the designated lead agency continue to monitor\n                 mitigation instruments that they enter into on behalf of the Committee. While\n                 notifying CFIUS about a transaction remains voluntary, FINSA formalized the\n                 process which allows for unilateral initiating of reviews by CFIUS absent an\n                 industry filing. Moreover, FINSA stipulates that approved transactions can be\n                 undone if material information was found to have been deliberately withheld or\n                 misrepresented during the review.\n\n\n                 DoD Instruction 2000.25\n                 DoD Instruction 2000.25 establishes policy, assigns responsibilities, and provides\n                 instructions for DoD CFIUS reviews and designates primary responsibility for\n                 oversight of these efforts to the Under Secretary of Defense for Policy.\n                 However, in 2011, the Secretary of Defense directed that the lead DoD responsibility\n                 for CFIUS be transferred to the Under Secretary of Defense for Acquisition,\n                 Technology, and Logistics.\n\n                 The instruction also establishes the DoD CFIUS Monitoring Committee and\n                 prescribes procedures to both propose mitigation agreements that are then\n                 recommended to CFIUS, as well as monitor those agreements that CFIUS approves\n                 and the parties sign. It assigns responsibilities to over 20 DoD organizations,\n                 departments, and component heads to review and monitor CFIUS transactions\n                 where DoD equities exist and establishes internal timelines for CFIUS reviews\n                 that ensure compliance with Committee requirements.\n\n                 The instruction stipulates that the DoD CFIUS process should be transparent,\n                 to the extent possible. It also says organizations should address potential\n                 implications    for     relevant   DoD       programs,   assets,   and     future   technological\n                 superiority resulting from a foreign acquisition involving a defense supplier,\n                 defense-related       technologies,    and    infrastructure   critical    for   DoD   missions.\n                 The instruction further directs DoD Components that are members of the\n                 Intelligence Community to fulfill their alternate role of providing additional\n                 support   and     information         to   the    ODNI    regarding       threats   that   CFIUS\n                 transactions pose.\n\n\n\n\n12 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                     Introduction\n\n\n\nKey DoD Stakeholders \xe2\x80\x93 CFIUS\nOffice of the Under Secretary of Defense for Acquisitions, Technology,\nand Logistics\nAs previously noted, as part of the DoD Efficiencies Review, the Office of the\nSecretary of Defense transferred DoD lead responsibility for CFIUS to the\nUSD(AT&L), with the change becoming effective in October 2011. The primary\nCFIUS responsibility within the Office of the USD(AT&L) was delegated to the\noffice of the Deputy Assistant Secretary for Manufacturing and Industrial Base\nPolicy (MIBP). In this capacity, MIBP serves as the DoD representative to\nCFIUS, negotiates agreements with industry, and internally negotiates and prepares\nthe DoD position on CFIUS matters.\n\n\nOffice of the Under Secretary of Defense for Intelligence\nWhen acquisitions and mergers involve cleared defense contractors under DSS\noversight, the members of CFIUS understand that DSS evaluates FOCI mitigation\noptions under its NISP authorities. DoD does advise CFIUS of the results of the\nDSS FOCI mitigation determination. However, apart from the role that DSS\nplays in determining if FOCI mitigation is feasible under NISPOM guidance and\nthe particular form it should take, CFIUS members are also responsible for\ndetermining if CFIUS mitigation is required to protect national security for those\nparts of a transaction which are not covered by NISPOM authorities over\nclassified contracts.\n\nOperating under OUSD(I) authority, direction, and control, DSS coordinates\nproposed FOCI mitigation under NISP authorities through the OUSD(I). DSS gives a\nconsolidated OUSD(I) response to USD(AT&L) on mergers and acquisitions that are\nsubject to the FOCI program of the NISPOM and that also meet the definition of a\ncovered transaction under CFIUS. DSS also provides valuable information to\nUSD(AT&L) and CFIUS on FOCI mitigation and also briefs CFIUS on FOCI issues.\n\nIf after reviewing a case, DSS determines an acceptable level of FOCI mitigation\nand the GCA also finds the FOCI level acceptable, this information is reported\nto the OUSD(AT&L)/MIBP through OUSD(I). If DSS needs more time to complete\nits FOCI review than the 30 days afforded under the parallel CFIUS review,\nOUSD(I) requests a CFIUS investigation to enable DSS to complete its FOCI\ndecision process in time for the responsible DoD officials to complete their CFIUS\nconsideration within CFIUS statutory deadlines.\n\n\n\n\n                                                                                 DODIG-2014-080\xe2\x94\x82 13\n\x0cIntroduction\n\n\n\n                 In either case, CFIUS, as a group, must still conclude whether the FOCI\n                 mitigation negotiated by those member agencies with classified contracts is\n                 adequate to address any identified national security concerns and meet the\n                 statutory CFIUS clearance standard of no unresolved national security concerns.\n\n\n                 Services\n                 As the main source of classified contracts within DoD, the Services play an\n                 integral role in both CFIUS and FOCI determinations. \xe2\x80\x85As the GCA, the appropriate\n                 Service will receive communications with the filings attached from both the\n                 OUSD(AT&L)/MIBP and DSS if the transaction involves a cleared company\n                 advising of CFIUS notifications by companies under their purview and the parties\xe2\x80\x99\n                 FOCI mitigation proposal respectively.\n\n                 The   Services    review   the   information   and   submit   their   concurrence   or\n                 non-concurrence within the prescribed timeframes by the DoD CFIUS lead and\n                 DSS for DTM 09-019. When the proposed merger or acquisition involves cleared\n                 defense industry, established guidelines exist for the mitigation required under\n                 the FOCI authorities from DTM 09-019. However, determining whether appropriate\n                 CFIUS mitigation measures are required depends on the broader facts and\n                 circumstances of each case, and DoD components combine their respective\n                 assessments and make recommendations as part of the overall CFIUS review\n                 process, which considers the adequacy of existing law to address identified\n                 national security risks.\n\n                 In addition, one Service acquisition official said the Services need to better\n                 understand what the Office of the Secretary of Defense expects the Services to\n                 provide for a CFIUS review. He also said his office would appreciate standardizing\n                 the process to ensure that expectations are being met.\n\n\n                 Missile Defense Agency\n                 The Missile Defense Agency (MDA) International Security office is the designated\n                 lead for engaging appropriate MDA organizations that are accountable for\n                 reviewing, coordinating, and processing CFIUS cases. That office chairs the\n                 MDA CFIUS Coordination Team, which is supported by General Counsel; the\n                 Director, Research Development and Acquisition; Security; and a representative\n                 and an alternate from the Contracting Directorate, Special Programs; and the\n                 Counterintelligence Division.\n\n\n\n\n14 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                Introduction\n\n\n\nThe office has an internal 13-day timeline for processing CFIUS cases and for\nformulating and presenting MDA\xe2\x80\x99s position. CFIUS cases that have MDA equities\nare reviewed and evaluated using an established procedure that ensures\na comprehensive review for identifying any MDA concerns. The cases are\ncoordinated with other stakeholder Staff Directorates, and recommendations\nare formulated based on security evaluations and input received during the\ncoordination process. MDA\xe2\x80\x99s recommendations are forwarded to OUSD AT&L\nfor consolidating into a DoD position.\n\n\nDefense Intelligence Agency\nDoD Instruction 2000.25 charges the Director, Defense Intelligence Agency (DIA)\nwith providing analytical support to DoD-related CFIUS determinations. In turn,\nthe Director, DIA, delegated the responsibility to the Office of Technology and\nLong-Range Analysis, which provides risk assessments for mergers and acquisitions\nwith DoD equities. The information is provided internally to the Office of the\nSecretary of Defense for inclusion in a broader security threat assessment that\nthe CFIUS group within the National Intelligence Council prepares. The Council\nsupports the Director of National Intelligence as the head of the Intelligence\nCommunity     and   its   center   for   long-term   strategic   analysis.   At   DIA,   the\nTechnology    and    Long-Range      Analysis   office    prepares     assessments       that\ndetermine the technology transfer and diversion risks of CFIUS transactions\nbased on specific criteria. Of note, however, is that while the office does\nprovide analytical input, it does not offer recommendations on approving\nproposed mergers or acquisitions.\n\n\n\n\n                                                                                            DODIG-2014-080\xe2\x94\x82 15\n\x0cFinding A\n\n\n\n\n                 Finding A\n                 DoD Policy Must Clearly Define NID Roles\n                 and Responsibilities\n                 The Deputy Secretary of Defense memorandum, \xe2\x80\x9cImproving the Implementation\n                 of Policy Guidance for Foreign Ownership, Control, or Influence (FOCI)\xe2\x80\x9d of\n                 September 14, 2011, established requirements to ensure that GCAs make\n                 timely submissions of NIDs to authorize foreign-owned or controlled U.S.\n                 companies cleared under (or in process for a facility clearance under) an SSA\n                 access to proscribed information. Despite this memorandum, a persistent backlog\n                 of NIDs exists within some Services and organizations. This is due, in part, to\n                 existing security policy and guidance which, while establishing time requirements,\n                 does not provide for a consistent process among Services and organizations.\n                 The resulting backlog can delay facility clearances and may impede technically\n                 proficient         foreign-owned            U.S.     companies          from       fully     participating         in    the\n                 government contracting process.\n\n                 Determinations require coordination among internal DoD security, intelligence\n                 elements, and GCAs, and both internal and external government owners of\n                 proscribed information. For this reason, it is essential that DoD establish\n                 consistent processes DoD-wide. This will help ensure interagency coordination\n                 to bring about timely responses regarding NIDs.\n\n\n\n                 The NID Process Through NISP Authorities\n                 National Interest Determinations are an integral part of the FOCI program under\n                 NISP authorities. This holds true when classified contracts involve proscribed\n                 information6 and the decision whether to pursue a NID, along with an SSA will\n                 also affect the recommendations that DSS, OUSD(I), and the affected GCAs will\n                 make to the DoD CFIUS lead. When a cleared U.S. company performing on an\n                 existing classified contract with access to proscribed information is acquired by a\n                 foreign interest, or when a U.S. company cleared under an SSA wants to bid on a\n                 new contract requiring such access to proscribed information, DTM 09-019 directs\n                 DSS to advise the affected GCA that it requires a NID. The requirement for NIDs\n\n\n                 \t6\t\n                       Proscribed information includes Top Secret; Communications Security material, excluding Controlled Cryptographic\n                       Items when unkeyed or utilized with unclassified keys; Restricted Data; Special Access Program; and Sensitive\n                       Compartmented Information.\n\n\n\n\n16 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                    Finding A\n\n\n\napplies to new contracts pending issuance to existing SSA companies, and also\nto existing contracts when foreign interests acquire cleared companies and an\nSSA is the proposed mitigation.\n\nOnce the decision is made that a NID is required, DSS will alert the GCA of\nthat requirement. The GCA, in turn, will determine which office has authority\nover the contract and seek the necessary concurrences. DSS can supply threat or\nFOCI information to help an organization assess associated risk. An overarching\npolicy exists on requiring NID decisions within 30 days (allowing an additional\n30 days for NIDs requiring coordination with concurring agencies, i.e., National\nSecurity Agency for COMSEC, Department of Energy for Restricted Data, or the\nODNI for Sensitive Compartmented Information), but current processes and\nguidance do not support the timelines associated with the policy. After the\nGCAs   coordinate     the   prepared   NID    for   signature   within    their     respective\norganizations, the signed NID is forwarded to DSS, and DSS notifies the SSA\ncompany that the NID has been awarded. The complete NID package must\ninclude a security point of contact, but it also must be signed off at the\nacquisition-program executive-office level.\n\n\nDeputy Secretary of Defense National Interest\nDetermination Memorandum\nThe Deputy Secretary of Defense signed the NID memorandum to address the\npersistent backlog of pending NIDs. The memorandum cited the \xe2\x80\x9cslow,\ninconsistent,   and    often   unresponsive     consideration     of     national     interest\ndeterminations (NIDs) by government contracting activities (GCAs).\xe2\x80\x9d Accordingly,\neach DoD component head was required to provide the name of a senior official\n(e.g., senior acquisition executive or component equivalent), who would be\nresponsible and have the authority to make NID decisions for the component.\nComponent heads were advised that the names had to be provided to the\nUSD(AT&L), USD(I) and the Director, DSS, within 30 days of the memorandum\xe2\x80\x99s\ndate. The Deputy Secretary of Defense also stipulated that monthly reports be\nsent to the USD(I) and the USD(AT&L) on all pending NID requests more than\n30 days old. He said that the report would include the status of all NIDs\nawaiting   concurrence      from   non-DoD     owners     of    proscribed    information.\nWhen the memo was issued, about 300 unresolved determinations existed\nfrom current foreign owned companies operating under DSS approved SSAs.\n\n\n\n\n                                                                                             DODIG-2014-080\xe2\x94\x82 17\n\x0cFinding A\n\n\n\n                 The Deputy Secretary of Defense charged GCAs to resolve the backlog within\n                 60 days of the memorandum date. A NID status summary report from\n                 September 14, 2012\xe2\x80\x94slightly more than a year after the issuance of the memo\xe2\x80\x94\n                 listed 179 pending determinations from GCAs, with 31 requiring input from the\n                 owners of proscribed information (concurring agencies). The average length of\n                 time pending for GCAs was 458 days; the average length of time for input from\n                 concurring agencies was 278 days.\n\n\n                 Identified Concerns\n                 The Deputy Secretary of Defense memorandum on NID procedures sought to\n                 ensure   timeliness   and     accountability   for   determinations   by   requiring   the\n                 designation of a responsible senior official and submitting recurring reports\n                 detailing metrics for outstanding NIDs. The memorandum did not, however,\n                 establish a standardized process for the Services and organizations. \xe2\x80\x85The definition\n                 of a senior official is not clearly articulated. For example, the individual can\n                 either be a \xe2\x80\x9csenior acquisition executive\xe2\x80\x9d or a \xe2\x80\x9ccomponent equivalent.\xe2\x80\x9d This\n                 ambiguity of what qualifies as a component equivalent prevents standardizing a\n                 process that involves elements both internal and external to DoD. Of note, minutes\n                 from a February 2012 NID working-group meeting indicated that despite the\n                 September 2011 memorandum, several organizations had yet to identify a senior\n                 official. Accordingly, a follow-on memorandum was being sent to those GCAs\n                 who had not formally responded with a point of contact. The level of GCA\n                 non-compliance    indicates    that   a   standardized   process   among    organizations\n                 is absent.\n\n                 Information obtained via interviews with officials charged with supporting\n                 CFIUS determinations confirmed the need for a standardized approach for NIDs\n                 under NISP authorities. One official said that the process is \xe2\x80\x9cbroken\xe2\x80\x9d and that\n                 some of the Services used \xe2\x80\x9coutdated NID procedures.\xe2\x80\x9d It was also said that\n                 the information owners or concurring agencies often disregard NID requests\n                 instead of giving a timely response. One Service security official said a central\n                 issue is the absence of an identified line of communication between the security\n                 and acquisition sides to support the NID process. Without a central \xe2\x80\x9cbelly button,\xe2\x80\x9d\n                 no way exists to ensure the timely exchange of information. The Deputy Secretary\n                 of Defense memorandum does not specify that the designated senior official\n                 should be affiliated with security or acquisition; thus, the memorandum fails\n                 to address this concern.\n\n\n\n\n18 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                              Finding A\n\n\n\nAs   the   primary     GCAs,   the   Services   periodically   encounter   issues   when\ndetermining which office has authority for specific contracts. A Navy security\nofficial discussed the Navy\xe2\x80\x99s internal NID process. When security officials are\nnotified that a NID is needed, they must find the appropriate acquisition office\nwith cognizance over the contract. \xe2\x80\x85However, the contract can at times be joint, or\nunder the aegis of multiple organizations. Therefore, determining the responsible\nparty can be difficult. Also, the contract could be close to expiring, e.g., within the\nnext three months, or already expired. In such cases, some acquisition personnel\nchoose not to respond to the determination request because it has become\nirrelevant, or soon will be.\n\n\nSuccessful Practices (Army)\nOf all the Services, the Army had the greatest success coordinating the efforts\nof its intelligence, security, and acquisition communities. More specifically, the\nArmy has ensured timely responses from owners of proscribed information to\nsupport NIDs. This was accomplished when elements within Army Industrial Security\nand Counterintelligence underwent an independent process review to determine\nareas for improvement within its CFIUS program. \xe2\x80\x85The resulting changes included\nidentifying and training additional personnel and creating checklists, standard\noperating procedures, and documented workflows. \xe2\x80\x85In addition, a CFIUS case quality\ntracker was created to track deficiencies, and quality and completeness issues were\ncommunicated to external DoD organizations. Internal communication was also\nimproved by creating an inter-departmental governance structure. \xe2\x80\x85For areas where\nthe concern involved resource constraints, the Army identified low-cost workflow\nmanagement technology options.\n\nThe Army created checklists to ensure that requests to owners of proscribed\ninformation had the requisite data for information owners to submit responses\nwithout having to request additional information, thus proactively preventing\ndelays in NID processing under NISP authorities. Furthermore, the Army\ncreated template memos for respective owners of proscribed information, draft\njustifications   for   information    owner     determinations,    and     examples   of\ndeterminations to be forwarded to DSS. The Army G-2 worked diligently to be\nthe focal point for all NIDs and end the NID backlog. DSS sends the initial NID\nrequest to the Army G-2 and the Army G-2 would determine what Army\nelement was responsible. The Army G-2 tracked all the NIDs in a database until\na final NID determination was made and forwarded to DSS. The Army G-2\nalso collaborated with the Command and Industrial Security personnel to\nexplain the NID process and due dates.\n\n\n                                                                                       DODIG-2014-080\xe2\x94\x82 19\n\x0cFinding A\n\n\n\n                 While the new procedures played a major role in ensuring the timely processing\n                 of NIDs, Army G-2 also noted the presence within the Army acquisition office\n                 of \xe2\x80\x9cchampions\xe2\x80\x9d who improve communication between G2 and the Assistant Secretary\n                 of the Army for Acquisition, Logistics, and Technology. \xe2\x80\x85This advancement, along\n                 with education and training, are ways in which the Army has managed to\n                 achieve effective coordination between Army G-2 and Acquisition elements.\n\n                 The Army is currently transferring primary responsibility for CFIUS issues to its\n                 acquisition office, with direct support from the Deputy Assistant Secretary of the\n                 Army (Procurement) contract office. \xe2\x80\x85This is consistent with changes at the Office\n                 of the Secretary of Defense-level where OUSD AT&L MIBP has the lead for CFIUS\n                 matters. \xe2\x80\x85Moreover, because acquisition and contract offices are more readily able\n                 to identify responsible parties for NIDs under NISP authorities and for CFIUS\n                 reviews, the change should ensure continued timely processing of CFIUS cases.\n                 This change will also include continued coordination with Army G-2 and its\n                 Counterintelligence and Industrial Security elements. A chart detailing the\n                 coordinated efforts within the Army in support of CFIUS, as well as established\n                 timelines, is shown on Appendix B.\n\n\n                 Current Efforts\n                 The Government Industrial Security Working Group (GISWG) has also focused on\n                 issues related to delays in NID processing. The GISWG is a government working\n                 group that DSS chairs. It meets quarterly, or on an as-needed basis to address\n                 relevant security policy implementation related to industrial security matters.\n                 An October 2012 presentation at the GISWG stated that NIDs have been a topic\n                 of discussion for the GISWG and DoD for several years. The briefing referenced\n                 the Deputy Secretary of Defense memorandum on NIDs and acknowledged that\n                 despite the guidance, a backlog of over a year persists for some determinations.\n\n                 To address this problem, the GISWG established a separate working group to\n                 discuss creating \xe2\x80\x9cblanket\xe2\x80\x9d NIDs, or NIDs that authorize a scope of information\n                 broader than traditional NIDs, which are program, project, or contract specific.\n                 The working group, comprised of DoD, DSS, and concurring agencies established\n                 procedures and conditions for a limited blanket NID concurrence. Limited blanket\n                 NID concurrence will cover specific categories of proscribed information and enable\n                 approval for entire companies that meet specified criteria. The company must\n                 show a history of no International Traffic in Arms Regulations violations, and\n                 compliance with an SSA for a minimum of 10 years.\n\n\n\n\n20 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                       Finding A\n\n\n\nIn addition, a threat assessment, a FOCI assessment, and an annual security\nvulnerability assessment must be in place. The company or the GCA can originate\nthe request for a blanket NID concurrence. Additional criteria exist for applicants\nand once granted, companies will be required to maintain a \xe2\x80\x9cSatisfactory\xe2\x80\x9d or\nhigher security rating.\n\n\nConclusion\nThe Deputy Secretary of Defense memorandum sought to address \xe2\x80\x9cthe slow,\ninconsistent,   and       often        unresponsive     consideration    of   national   interest\ndeterminations (NIDs) by government contracting activities (GCAs).\xe2\x80\x9d                  Data from\nDSS and GISWG meeting minutes, however, show that a significant backlog of\ndeterminations still exists within some organizations. The persistent delays that\nremain in NID processing affect industry, the Services, organizations, and\nDoD headquarters.\n\nWhile the limited blanket NID concurrence will improve coordination issues with\nowners of proscribed information, it will not remedy incongruous DoD internal\nprocesses of GCAs. The issue of inconsistent NID processes within DoD Services\nand organizations can, and should be, addressed at the DoD headquarters level.\n\n\nRecommendation, Management Comments, and\nOur Response\nRecommendation A\nWe recommend that the Under Secretary of Defense for Intelligence, in\ncoordination with the Under Secretary of Defense for Acquisition, Technology,\nand Logistics, issue guidance that both delineates responsibility for coordination\nwithin respective Services and organizations, and outlines a consistent process\nflow for NIDs to further a synchronized and coordinated approach to support\nCFIUS determinations and FOCI mitigation.\n\n\nUnder Secretary of Defense for Intelligence Comments\nThe   Under     Secretary         of    Defense   for     Intelligence   concurred   with    our\nrecommendation and stated that a proposed directive-type memorandum is in\nthe DoD policy issuance process. The proposed directive-type memorandum is\nexpected to be approved and published by the third quarter of FY 2014.\n\n\n\n\n                                                                                                DODIG-2014-080\xe2\x94\x82 21\n\x0cFinding A\n\n\n\n                 Our Response\n                 The comments of the Under Secretary of Defense for Intelligence were responsive.\n\n\n                 Under Secretary of Defense for Acquisition, Technology, and\n                 Logistics Comments\n                 The Under Secretary of Defense for Acquisition, Technology, and Logistics also\n                 concurred with our recommendation.\n\n\n                 Our Response\n                 The comments of the Under Secretary of Defense for Acquisition, Technology, and\n                 Logistics were responsive.\n\n\n\n\n22 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                               Finding B\n\n\n\n\nFinding B\nDoD Needs A Centralized and Transparent\nContractor Database\nDoD elements involved in identifying and carrying out security requirements\npresently have limited access to the information necessary to support industrial\nsecurity. This is due, in no small part, to the absence of a central repository\nfor classified contracts and relevant documentation. The result is a cumbersome\nand   inefficient    process    to   verify,   track,    and    manage        relevant     contractor\ndocumentation.       A    centralized   database        will   help     ensure       consistent    and\ncoordinated efforts in DoD.\n\n\n\nDD Form 254\nDD    Form    254,       \xe2\x80\x9cDoD   Contract   Security      Classification      Specification,\xe2\x80\x9d      is   a\nsecurity-requirements document associated with the NISP. A DD Form 254 must\nbe included in any contract that requires access to classified information and\nis issued by a DoD component or Executive Branch Department or Agency that\nhas an agreement with DoD. At the time of preparing this report, 26 federal\nagencies have such agreements with DoD. DD Form 254 details for the contractor\nthe relevant security provisions required for protecting classified information\naccessed, generated, received, or otherwise associated with the contract. It also\nestablishes the scope of a contractor\xe2\x80\x99s security program. In addition, the form\nprovides the framework for the required DSS oversight of the contractor\xe2\x80\x99s\nsecurity program. \xe2\x80\x85A copy of DD Form 254 is provided in Appendix C.\n\nSome information provided in the DD Form 254 is captured in the DSS\nElectronic Facility Clearance (e-FCL) system. Currently, all companies in process\nfor a FCL or reporting a change condition are entered into e-FCL, which\nfunctions as a central repository of company information required for FCLs\nand FOCI mitigation. DSS is able to upload forms related to FOCI mitigation to\ninclude the mitigation agreement and its implementation procedures into e-FCL.\n\nThe system also retains relevant corporate information, which includes articles\nof incorporation and bylaws, key management personnel lists, shareholder\nagreements,    certificates     of   incorporation,      SF-328       \xe2\x80\x9cCertificate    Pertaining       to\nForeign Interest,\xe2\x80\x9d DD Form 441 \xe2\x80\x9cDepartment of Defense Security Agreement,\xe2\x80\x9d\nand DD Form 254.\n\n\n\n                                                                                                        DODIG-2014-080\xe2\x94\x82 23\n\x0cFinding B\n\n\n\n                 Presently, 65 percent of cleared contractors under DSS security cognizance have\n                 accounts in the e-FCL system. Regarding contractor-completed DD Form 254s,\n                 the system does not correlate the information entered with other systems because\n                 it is not an enterprise database. Accordingly, data is only as accurate as the\n                 information that is received.\n\n\n                 Identified Concerns\n                 DSS has identified several issues on how DD Form 254 and contractor\n                 information is processed. The absence of a central repository for classified\n                 contracts and relevant documentation results in limited access and visibility for\n                 the offices tasked with identifying and carrying out security requirements\n                 associated with those contracts. \xe2\x80\x85Before being entered into the e-FCL, DD Form 254s\n                 are received in either paper or PDF format and either faxed, emailed, or\n                 hand-carried to the appropriate offices. Identified issues include timeliness,\n                 accuracy, absence of verification of receipt, and lack of version control. The lack\n                 of   an   automated        centralized   process   for   creating,   submitting,   reviewing,\n                 modifying, approving and/or reapproving, and storing DD Form 254 results in a\n                 cumbersome, inefficient, and often ineffective process.\n\n                 DSS documents also identify concerns with how DD Form 254s are currently\n                 managed. Absent oversight for quality control, no means exist to prevent or\n                 reduce human errors or redundancies. \xe2\x80\x85No means are currently in place to ensure\n                 data integrity, visibility, and access control of the information contained in\n                 DD Form 254. While the information is unclassified, it is still important that the\n                 information contained therein be protected.\n\n                 While forms reside with the contractor, DD Form 254s are also sometimes\n                 distributed by the GCA to the DSS office with authority over the contractor.\n                 This distribution may include many organizations in support of the contract,\n                 including Program Managers, Prime Contractors, Subcontractors, GCAs, and the\n                 DSS field office with oversight of the contractor facility. The approximately\n                 13,500 cleared contractor facilities over which DSS has oversight retain copies of\n                 the form\xe2\x80\x94one per classified contract. Larger companies can have thousands\n                 of classified contracts.\n\n\n\n\n24 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                            Finding B\n\n\n\nOnce received by DSS, the forms may be retained in paper or PDF format in one\nof the 26 field office locations in separate facility file folders. GCAs may find it\ndifficult to determine the appropriate DSS field office for receipt of the form,\nparticularly for multiple-facility organizations where contract performance may\noccur at a division office, subsidiary, or cleared offsite location.\n\nMoreover, the relationships of cleared facilities within a corporate family can\nbe difficult to ascertain, making it hard to track a classified contract/program\nfrom   a     prime    contractor       through     the    various   tiers     of    subcontractors.\nConsequently, no efficient comprehensive process exists to track government\nprograms or technologies across the defense industrial base, and no mechanism\nexists for searching DD Forms 254 based on user-defined criteria.\n\nThe concerns listed above are also reflected in comments that the Services and\norganizations expressed identifying specific problems accessing or validating\ninformation provided on the DD Form 254.\n\nDuring the award of classified subcontracts, cleared prime contractors occasionally\nenter inconsistent requirements (e.g., the need to have access to COMSEC) and\nthat information is not vetted through a central repository or a granting agency.\nThis can add unnecessary upfront security costs and subsequently delay NIDs\nif a company incorrectly identifies requirements upfront for an SSA company,\nresulting in later requests for determinations from uninvolved information\nowners.      Both    Services    and    organizations      identified   the        inconsistency    of\ninformation provided in DD Form 254s. While the information is submitted in a\nstandardized form, it is not always correctly filled out. \xe2\x80\x85It was also pointed out\nthat USD(AT&L) had \xe2\x80\x9cscrambled\xe2\x80\x9d to meet time requirements for two CFIUS cases\nas a result of information that contractors had misidentified in boxes on\nDD Form 254.\n\nA related issue was also raised involving uncleared subcontractors, whose\nbusiness information is not listed in any type of industrial security repository.\nSuch subcontractors with significant foreign revenue or foreign connections\ncould present a FOCI concern if they are in the supply chain for components of\nclassified    technology.       The   issue   of   uncleared     subcontractors         within     the\ncleared contractor supply chain surfaced several times and warrants a separate\nin-depth     review     to   determine        potential    supply-chain       risks     to   cleared\ndefense industry.\n\n\n\n\n                                                                                                     DODIG-2014-080\xe2\x94\x82 25\n\x0cFinding B\n\n\n\n                 While no direct prohibition to using the DD Form 254 exists for unclassified\n                 contracts, the purpose of the form and its data collection is for contracts\n                 requiring      access      to    classified       information,        as     outlined       in    the    Federal\n                 Acquisition Regulation.\n\n\n                 Current Efforts\n                 GISWG meeting minutes, additional documents, and interviews reveal that the\n                 feasibility of creating a Contract Security Classification Specification/DD Form\xc2\xa0 254\n                 database has been discussed for several years. The project, however, has never\n                 been funded. The Army G-2 developed such a database to support its own\n                 sensitive     compartmented             information       contracts,       and     the     Army       Acquisition\n                 element has a database of unclassified contracts. No centralized DD Form 254\n                 database exists, however, for all DoD elements and the NISP. The Army\xe2\x80\x99s sensitive\n                 compartmented information database was reviewed to determine if it could serve\n                 as a model for a database to support DoD and NISP. It was decided that the\n                 database contained elements which could provide the foundation for a similar\n                 database supporting all DD Form 254 documentation. A demonstration of the\n                 Army system was provided to stakeholders to include all of the DoD components,\n                 Executive Branch Agencies, cleared contractors, OUSD(I), and the Information\n                 Security Oversight Office. A decision was made that the Army system could\n                 be modified to fulfill the greater need of the NISP. The DSS Office of the Chief\n                 Information Officer has initiated a project to use the Army system as the\n                 basis for a contract security requirements specification database. The intent\n                 is   to    collect      requirements       from     the     various        stakeholder       groups      pending\n                 contract      efforts     to    secure     a   requirements-definition                 subject-matter     expert.\n                 Requirements\xe2\x80\x91definition           workshops          will   then       be    established         with    various\n                 stakeholder groups.\n\n\n                 Conclusion\n                 A    single     repository        for     security      specifications           for     classified     contracts\n                 (e.g., DD Form 254s) within DoD, and within the cleared contractor community,\n                 can provide centralized access and visibility to all parties involved in the NISP.\n                 GCA can enter security specifications directly into the database at the beginning\n                 of the acquisition process, thereby reducing the likelihood that inaccurate and\n                 potentially unnecessary costly requirements will be added. Cognizant elements\n                 could have 24-hour access to their respective DD Form 254s via controlled\n                 access and role-based permissions. A centrally-managed database will help track\n\n\n\n\n26 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                               Finding B\n\n\n\nthe status of DD Form 254 through the life of the contract process, while also\nimproving quality and consistency via an automated creation, review, and\napproval process. It will also help in analyzing security trends among\nGovernment projects and programs.\n\nAt issue is whether Acquisition or Security will have accountability for the\nDD Form 254 database and the resulting enterprise system. Given its existing\nrelationship with cleared defense industry, and its role in administering the NISP\non behalf of the Secretary of Defense and user agencies, DSS is well-positioned\nto provide oversight for any resulting database and, as previously noted, is\nactively working to create a functioning database upon which an enterprise\nsystem could ultimately be constructed.\n\n\nRecommendation, Management Comments, and\nOur Response\nRecommendation B\nWe recommend that the Under Secretary of Defense for Intelligence, in\ncoordination with the Under Secretary of Defense for Acquisition, Technology,\nand Logistics, direct the creation of a centralized repository for cleared\ndefense contracts, to maintain DD Form 254s and other contract security\nrequirements for classified contracts, and designate the Defense Security\nService as executive agent in its role as the National Industrial Security Program\nCognizant Security Office for DoD, 26 non-DoD agencies, and approximately\n13,500 cleared contractors.\n\n\nUnder Secretary of Defense for Intelligence Comments\nThe Under Secretary of Defense for Intelligence concurred with the first part of\nour recommendation to direct the creation of a centralized repository for\ncleared defense contracts, to maintain DD Form 254s and other contract security\nrequirements for classified contracts. They stated that ongoing efforts by the\nDefense   Security   Service   for    developing   the   National   Industrial   Security\nProgram   Contract   Classification    System\xe2\x80\x94the    single   repository   for   contract\nsecurity classification specifications to support DoD and the National Industrial\nSecurity Program\xe2\x80\x94began in 2012. Further, the DoD Investment Review Board\nis evaluating the National Industrial Security Program Contract Classification\nSystem and the Review Board\xe2\x80\x99s approval is necessary before the Defense\nSecurity Service can obligate any funds to build the National Industrial Security\n\n\n\n\n                                                                                        DODIG-2014-080\xe2\x94\x82 27\n\x0cFinding B\n\n\n\n                 Program Contract Classification System. The Defense Security Service is also\n                 working with the Defense Procurement and Acquisition Policy Office, Office of\n                 the Under Secretary of Defense for Acquisition, Technology, and Logistics, to\n                 determine the possibility of co-developing the National Industrial Security Program\n                 Contract Classification System. Developing this system will reduce design and\n                 development lag time by leveraging an existing Under Secretary of Defense for\n                 Acquisition, Technology, and Logistics database.\n\n                 The Under Secretary of Defense for Intelligence did not concur with the last\n                 portion of our recommendation that requested the designation of the Defense\n                 Security Service as executive agent in its role as the National Industrial\n                 Security Program Cognizant Security Office for DoD, 26 non-DoD agencies, and\n                 approximately 13,500 cleared contractors. They stated that in coordination with\n                 OUSD(AT&L) they will reevaluate whether there is a requirement for an executive\n                 agent, during the development of the National Industrial Security Program\n                 Contract Classification System as well as the Office of Management and Budget/\n                 Federal Register information collection approval process. \xe2\x80\x85The Under Secretary\n                 of Defense for Intelligence anticipates approval of a revised DD Form 254\n                 information collection with DoD\xe2\x80\x99s updated industrial security policy in the\n                 second quarter of FY 2015.\n\n\n                 Our Response\n                 The comments of the Under Secretary of Defense for Intelligence were responsive\n                 to the recommendation. We will monitor the development of the DD Form 254\n                 central   repository,   and   the   corresponding   Office   of   Management   and\n                 Budget/Federal Register approval process, to determine the feasibility of an\n                 appointment. Otherwise, the response of the Under Secretary of Defense for\n                 Intelligence addressed all the specifics of the recommendation, and no additional\n                 comments are required.\n\n\n                 Under Secretary of Defense for Acquisition, Technology, and Logistics\n                 Comments\n                 The Under Secretary of Defense for Acquisition, Technology, and Logistics quoted\n                 the Under Secretary of Defense for Intelligence response to this recommendation,\n                 agreeing to the first portion of Recommendation B to direct the creation of a\n                 centralized repository for cleared defense contracts, to maintain DD Form 254s\n\n\n\n\n28 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                                     Finding B\n\n\n\nand   other    contract    security     requirements      for   classified   contracts.    They\nnon-concurred with the portion of the recommendation to designate the\nDefense Security Service as executive agent for the National Industrial Security\nProgram Contract Classification System.\n\n\nOur Response\nThe comments of the Under Secretary of Defense for Acquisition, Technology,\nand Logistics were responsive to the recommendation to create a centralized\nrepository for cleared defense contracts. We will monitor the development of\nthe DD Form 254 central repository, and the corresponding Office of Management\nand Budget/Federal Register approval process, to determine the feasibility of\nan appointment. Otherwise, the response of the Under Secretary of Defense for\nIntelligence   addressed    all   the    specifics   of   the   recommendation,      and    no\nadditional comments are required.\n\n\n\n\n                                                                                              DODIG-2014-080\xe2\x94\x82 29\n\x0cAppendixes\n\n\n\n\n                 Appendix A\n                 Scope and Methodology\n                 This assessment was conducted from April 2012 to July 2013, in accordance with\n                 Quality Standards for Inspection and Evaluation that the Council of the\n                 Inspectors General on Integrity and Efficiency issued. Those standards require\n                 that we plan and perform the assessment to obtain sufficient appropriate\n                 evidence to provide a reasonable basis for our findings and conclusions based\n                 on our assessment objectives. We believe that the evidence obtained provides\n                 a reasonable basis for our findings and conclusions based on our assessment\n                 objectives. To accomplish the objective, we reviewed relevant policies and guidance\n                 and interviewed officials responsible for carrying out FOCI mitigation and DoD\n                 support to CFIUS determinations.\n\n\n                 Computer-Processed Data\n                 We did not use computer-processed data to perform this assessment.\n\n\n                 Use of Technical Assistance\n                 We did not receive any technical assistance for this assessment.\n\n\n                 Prior Coverage\n                 During the last five years, the DoD OIG has issued no reports that have addressed\n                 issues specific to FOCI and CFIUS concerns. Unrestricted DoD OIG reports are\n                 at http://www.dodig.mil.\n\n\n                 GAO\n                 During the last five years, the GAO issued the following two reports addressing\n                 issues specific to FOCI and CFIUS concerns:\n\n                 GAO Report No. GAO-08-0695T, \xe2\x80\x9cDepartment of Defense: Observations on the\n                 National Industrial Security Program,\xe2\x80\x9d April 2008.\n\n                 GAO Report No. GAO-08-0320, \xe2\x80\x9cForeign Investment: Laws and Policies Regulating\n                 Foreign Investment in 10 Countries,\xe2\x80\x9d February 2008.\n\n                 Unrestricted GAO reports are at http://www.gao.gov.\n\n\n\n\n30 \xe2\x94\x82 DODIG-2014-080\n\x0c                         Appendixes\n\n\n\n\nAppendix B\nG-2 CFIUS Timeline\n\n\n\n\n                     DODIG-2014-080\xe2\x94\x82 31\n\x0cAppendixes\n\n\n\n\n                 Appendix C\n                 DD Form 254\n\n\n\n\n32 \xe2\x94\x82 DODIG-2014-080\n\x0c                           Appendixes\n\n\n\nDD Form 254 (cont\xe2\x80\x99d)\n\n\n\n\n                       DODIG-2014-080\xe2\x94\x82 33\n\x0cManagement Comments\n\n\n\n\n                 Management Comments\n                 Under Secretary of Defense for Intelligence\n\n\n\n\n34 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                  Management Comments\n\n\n\nUnder Secretary of Defense for Intelligence (cont\xe2\x80\x99d)\n\n\n\n\n                                                        DODIG-2014-080\xe2\x94\x82 35\n\x0cManagement Comments\n\n\n\n                 Under Secretary of Defense for Intelligence (cont\xe2\x80\x99d)\n\n\n\n\n36 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                 Management Comments\n\n\n\nUnder Secretary of Defense for Acquisition, Technology,\nand Logistics\n\n\n\n\n                                                       DODIG-2014-080\xe2\x94\x82 37\n\x0cManagement Comments\n\n\n\n                 Under Secretary of Defense for Acquisition, Technology,\n                 and Logistics (cont\xe2\x80\x99d)\n\n\n\n\n38 \xe2\x94\x82 DODIG-2014-080\n\x0c                                                                                   Acronyms and Abbreviations\n\n\n\n\nAcronyms and Abbreviations\n      CFIUS Committee on Foreign Investment in the United States\n   COMSEC Communications Security\n        DSS Defense Security Service\n      e-FCL Electronic Facility Clearance System\n     FINSA Foreign Investment National Security Act\n       FOCI Foreign Ownership Control or Influence\n       GAO Government Accountability Office\n    GISWG Government Industrial Security Working Group\n      MDA Missile Defense Agency\n      MIBP Manufacturing and Industrial Base Policy\n       NIDs National Interest Determinations\n       NISP National Industrial Security Program\n   NISPOM National Industrial Security Program Operating Manual\n      ODNI Office of the Director of National Intelligence\n     SF-328 Standard Form 328\n        SSA Special Security Agreement\n USD(AT&L) Under Secretary of Defense for Acquisition, Technology, and Logistics\n     USD(I) Under Secretary of Defense for Intelligence\n\n\n\n\n                                                                                              DODIG-2014-080\xe2\x94\x82 39\n\x0c\x0c            Whistleblower Protection\n           U.S. Department of Defense\nThe Whistleblower Protection Enhancement Act of 2012 requires\nthe Inspector General to designate a Whistleblower Protection\nOmbudsman to educate agency employees about prohibitions\non retaliation, and rights and remedies against retaliation for\nprotected disclosures. The designated ombudsman is the DoD Hotline\nDirector. For more information on your rights and remedies against\n     retaliation, visit www.dodig.mil/programs/whistleblower.\n\n\n\n\n   For more information about DoD IG\n  reports or activities, please contact us:\n                      Congressional Liaison\n               congressional@dodig.mil; 703.604.8324\n\n                             Media Contact\n                public.affairs@dodig.mil; 703.604.8324\n\n                        Monthly Update\n                dodigconnect-request@listserve.com\n\n                       Reports Mailing List\n                     dodig_report@listserve.com\n\n                               Twitter\n                         twitter.com/DoD_IG\n\n                           DoD Hotline\n                          dodig.mil/hotline\n\x0cD E PA R T M E N T O F D E F E N S E \xe2\x94\x82 I N S P E C T O R G E N E R A L\n                     4800 Mark Center Drive\n                   Alexandria, VA 22350-1500\n                         www.dodig.mil\n                 Defense Hotline 1.800.424.9098\n\x0c'